DEPARTMENT OF EDUCATION

34 CFR Part 99 
RIN 1855-AA00

Family Educational Rights and Privacy 
Act 

AGENCY: Office of Innovation and 
Improvement; Department of Education. 
ACTION: Final regulations. 

SUMMARY: The Secretary amends 34 CFR 
part 99 to implement the Department’s 
interpretation of the Family Educational 
Rights and Privacy Act (FERPA) 
identified through administrative 
experience as necessary for proper 
program operation. These final 
regulations provide general guidelines 
for accepting “signed and dated written 
consent” under FERPA in electronic 
format. 

DATES: These regulations are effective 
May 21, 2004. 

FOR FURTHER INFORMATION CONTACT: 

Kathleen Wolan, U.S. Department of 
Education, 400 Maryland Avenue, SW., 
room 2W115, Washington, DC 20202-5901.
Telephone: (202) 260-3887.

If you use a telecommunications 
device for the deaf (TDD), you may call 
the Federal Information Relay Service
(FIRS) at 1-800-877-8339.

Individuals with disabilities may 
obtain this document in an alternative 
format (e.g., Braille, large print, 
audiotape, or computer diskette) on 
request to the contact person listed 
under FOR FURTHER INFORMATION 
CONTACT. 

SUPPLEMENTARY INFORMATION: On July 
28, 2003, the Secretary published a 
notice of proposed rulemaking (NPRM) 
for this amendment in the Federal 
Register (68 FR 44420). In the preamble
to the NPRM, we invited interested 
persons to submit comments concerning 
the proposed change. We proposed to 
add § 99.30(d) in order to provide 
general guidelines for educational 
agencies and institutions that choose to 
meet the requirements of § 99.30 with 
records and signatures in electronic 
format. 

We reviewed guidance for electronic 
signatures recently published by a 
variety of Federal Government sources, 
including the Office of Management and 
Budget (OMB), the General Services
Administration, and the National 
Institute for Standards and Technology. 
Based on that review and comments 
received from school officials, we 
believe it is necessary to modify these 
final regulations. We modified these 
regulations to reflect the definition of 
“electronic signature” established in the
Government Paperwork Elimination Act
(GPEA), Public Law 105-277, Title XVII, 
Section 1710. 

Electronic signatures are an area of 
rapidly evolving technology. These 
modified regulations provide more fluid 
and flexible standards for schools that 
choose to implement a process for 
accepting electronic signatures. These 
modified regulations permit schools to 
take advantage of changing technology 
as it may become available, whether the 
change concerns additional security 
provisions or enhanced customer 
service. 

Analysis of Comments and Changes 

In response to the Secretary’s 
invitation in the NPRM, 16 parties 
submitted comments on the proposed 
regulations. We publish an analysis of 
the comments and of the changes in the 
regulations since publication of the 
NPRM as an appendix at the end of 
these final regulations. We discuss 
substantive issues under the sections of 
the regulations to which they pertain. 
Generally, we do not address technical 
and other minor changes and suggested 
changes the law does not authorize the 
Secretary to make. However, we have 
reviewed these regulations since 
publication of the NPRM and have made 
changes as follows: 

Acceptance of signature in electronic 
form (§ 99.30) 

Comments: None. 

Discussion: Electronic formats for 
signatures and documents are changing 
rapidly and substantially in response to 
evolving technologies and public 
acceptance. We wish to provide the 
widest possible flexibility for schools to 
adapt to such changes yet retain a 
methodology that operates within 
FERPA’s requirements for proper 
disclosure of education records. Because 
FERPA applies to educational agencies 
and institutions at all levels, we do not 
want these regulations to inadvertently 
impose standards on elementary and 
secondary schools that may be valid 
only for postsecondary schools under 
Federal student aid programs. 

Based on our review of standards 
acceptable to other areas of the Federal 
Government, including OMB circulars 
and Federal Student Aid (FSA) 
guidance for electronic student loan 
transactions, as well as standards 
established by laws such as the 
Electronic Signatures in Global and 
National Commerce Act (E-Sign) and 
GPEA, we believe these modified 
regulations will more easily permit 
schools to adapt to changing standards 
in the areas of electronic signatures and 
documents. 


Changes: We have revised these 
regulations to be consistent with other 
Federal Government standards for 
“electronic signatures.” 

Executive Order 12866 

We have reviewed these final 
regulations in accordance with 
Executive Order 12866. Under the terms 
of the order we have assessed the 
potential costs and benefits of this 
regulatory action. 

The potential costs associated with 
these final regulations are those 
resulting from statutory requirements 
and those we have determined to be 
necessary for administering this 
program effectively and efficiently. 

In assessing the potential costs and 
benefits — both quantitative and 
qualitative — of these final regulations, 
we have determined that the benefits of 
the regulations justify the costs. 

Summary of Potential Costs and 
Benefits 

We summarized the potential costs 
and benefits of these final regulations in 
the preamble to the NPRM (68 FR
44421). 

Paperwork Reduction Act of 1995 

These regulations do not contain any 
information collection requirements. 

Assessment of Educational Impact 

In the NPRM we requested comments 
on whether the proposed regulations 
would require transmission of 
information that any other agency or 
authority of the United States gathers or 
makes available. 

Based on the response to the NPRM 
and on our review, we have determined 
that these final regulations do not 
require transmission of information that 
any other agency or authority of the 
United States gathers or makes 
available. 

Electronic Access to This Document 

You may view this document, as well 
as all other Department of Education 
documents published in the Federal 
Register, in text or Adobe Portable 
Document Format (PDF) on the Internet 
at the following site: http://www.ed.gov/news/fedregister.

To use PDF you must have Adobe 
Acrobat Reader, which is available free 
at this site. If you have questions about 
using PDF, call the U.S. Government 
Printing Office (GPO), toll free, at
1-888-293-6498; or in the Washington,
DC, area at (202) 512-1530.

You may also find these regulations, 
as well as additional information about 
FERPA, on the following Web site: 
http://www.ed.gov/policy/gen/guid/fpco/index.html.




Federal Register / Vol. 69, No. 77 / Wednesday, April 21, 2004 / Rules and Regulations


21671 


Note: The official version of this document 
is the document published in the Federal 
Register. Free Internet access to the official 
edition of the Federal Register and the Code 
of Federal Regulations is available on GPO 
Access at: http://www.gpoaccess.gov/nara/index.html.

(Catalog of Federal Domestic Assistance 
Number does not apply.) 

List of Subjects in 34 CFR Part 99 

Administrative practice and 
procedure, Education, Information, 
Parents, Privacy, Records, Reporting and 
recordkeeping requirements, Students. 

Dated: April 2, 2004. 

Rod Paige, 

Secretary of Education. 

■ For the reasons discussed in the 
preamble, the Secretary amends part 99 
of title 34 of the Code of Federal 
Regulations as follows: 

■ 1. The authority citation for part 99 
continues to read as follows: 

Authority: 20 U.S.C. 1232g, unless 
otherwise noted. 

■ 2. Section 99.30 is amended by adding 
a new paragraph (d) to read as follows: 

§ 99.30 Under what conditions is prior 
consent required to disclose information? 

***** 

(d) “Signed and dated written 
consent” under this part may include a 
record and signature in electronic form 
that — 

(1) Identifies and authenticates a 
particular person as the source of the 
electronic consent; and 

(2) Indicates such person’s approval 
of the information contained in the 
electronic consent. 

Appendix 

Analysis of Comments and Changes 

Note: The following appendix will not 
appear in the Code of Federal Regulations. 

Use at Multiple School Levels 

Comments: One commenter asked whether 
the proposed regulations apply only to 
eligible students at postsecondary 
institutions. 

Discussion: FERPA gives the right to 
consent to disclosure of education records to 
parents of minor children at the elementary 
and secondary school levels, and to parents 
of children with disabilities who receive 
services under Part B or Part C of the 
Individuals with Disabilities Education Act 
(IDEA). When a student turns 18 years of age 
or attends a postsecondary institution at any 
age, the student is considered an “eligible 
student” under FERPA. The right to consent 
under FERPA transfers under either of those 
two conditions from the parent to the eligible 
student. Although the term “eligible student” 
will be used throughout this document, 
educational agencies and institutions at all 
levels may use these regulations to accept 
electronic signatures. 


Change: None. 

Specific Methodologies 

Comments: Several commenters asked for 
more specific guidance on authentication 
methods and technologies that may be used.

Discussion: As explained in the preamble 
to the NPRM, the regulations are 
purposefully narrow in scope and intended 
to be technology-neutral (page 44420). While 
we will issue additional guidance that will 
include further examples of an acceptable 
process, we do not want to limit the 
flexibility of schools in this area of rapid 
technological change. 

Change: None. 

Safe Harbor 

Comments: Several commenters support 
the use of the FSA standards for electronic 
signatures in electronic student loan 
transactions (FSA Standards) as a “safe 
harbor” provision for acceptance of 
electronic signatures in FERPA. Several other 
commenters objected to the FSA Standards as 
being too rigorous for the perceived level of 
risk of improper disclosure. The FSA 
Standards may be viewed on the Internet at 
the following site: http://www.ifap.ed.gov/dpcletters/gen0106.html.

Discussion: The preamble to the NPRM 
stated (page 44421) that the FSA Standards 
would be the “safe harbor” provision. A “safe
harbor” is not set at the minimally acceptable 
level of security. Due to the nature of the 
information that may be disclosed and the 
potential harm a student may suffer from an 
unauthorized disclosure, we believe the “safe 
harbor” provision is not unduly rigorous. 
Schools retain the flexibility to choose to 
implement a system that meets the “safe 
harbor” provisions or to choose to implement 
another system to meet the new FERPA 
provisions. 

However, schools should be reminded that 
Congress has also, through the Gramm-Leach-Bliley
Act (GLB) (Pub.L. 106-102, November
12, 1999), imposed additional privacy 
restrictions on financial institutions, which 
include postsecondary institutions, requiring 
institutions to protect against unauthorized 
access to, or use of, consumer records. The 
Federal Trade Commission’s (FTC) rule on 
the privacy of consumer financial 
information provides that postsecondary 
institutions that are complying with FERPA 
to protect the privacy of their student 
financial aid records will be deemed in 
compliance with the FTC’s rule. (65 FR 
33646, 33648 (May 24, 2000)). This 
exemption applies to notice requirements 
and the restrictions on a financial 
institution’s disclosure of nonpublic personal
information to nonaffiliated third parties in 
Title V of GLB. However, postsecondary 
institutions are not exempt from the FTC 
final rule implementing section 501 of GLB 
on Safeguarding Customer Information. (67 
FR 368484 (May 23, 2002)). Financial 
institutions, including postsecondary 
institutions, are required to have adopted an 
information security program by May 23, 
2003, under the FTC rule. 

Thus, while schools have the maximum 
flexibility in choosing a system that meets 
FSA’s “safe harbor” provisions or another
process for authenticating Personal
Identification Number (PIN) numbers under 
FERPA, postsecondary institutions should 
keep these other Federal requirements in 
mind when implementing such systems. 

Change: None. 

Applicability of FSA Standards 

Comments: One commenter stated that it 
was confusing to apply the situations and 
terminology in the FSA Standards to FERPA. 
The commenter suggested that we issue a 
separate guide on FERPA standards. 

Discussion: The FSA Standards do not 
apply directly to FERPA because some 
actions are imposed only on lenders or 
borrowers of financial aid. For example, the 
FSA Standards require that paper copies of 
transactions be provided to a student 
borrower at no cost in some circumstances, 
and lenders are required to obtain a 
borrower’s specific consent to conduct loan 
transactions electronically. Neither of those 
circumstances has parallels within FERPA. 

We agree that some circumstances within 
the FSA Standards do not relate directly to 
FERPA. While schools are not required by 
FERPA to follow the FSA Standards, we 
believe that schools may use the set-up and 
security measures described in the FSA 
Standards, particularly sections 3 through 7, 
as guidance for security measures in a system 
using electronic records and signatures under 
FERPA. We do not plan to issue a separate 
FERPA standards document, but we will
clarify these items in additional guidance. 

Change: None. 

Use of “Trusted Third Party” in Identification 
Verification 

Comments: A commenter expressed a 
belief that disclosure by a school of student 
information without prior written consent to 
a “trusted third party” as part of an 
identification verification process may be in 
violation of FERPA. This commenter stated 
that the conflict arises because the FSA 
Standards specify that the third party may 
not be an agent of the school.

Discussion: FSA authenticates student 
identification information with the Social 
Security Administration as a “trusted third 
party.” FERPA’s consent provisions do not 
apply to transactions between a student and 
FSA. 

In situations where a school is disclosing 
education records to a third party, FERPA’s 
consent provisions apply. When the third 
party receiving the information from the 
school is not an agent for the school, FERPA 
generally requires a school to obtain prior 
written consent before the disclosure is 
made. Receipt of the prior consent would 
then allow a school to disclose personal 
information for authentication purposes with 
the records of independent sources such as 
credit reporting agencies or testing 
companies. 

Schools may also choose to use other 
processes to authenticate identity. For 
example, a school may require the eligible 
student to present photographic 
identification issued by a government 
agency. Such photographic identification 
includes, but is not limited to, a State-issued
driver’s license, a federally-issued passport,
and other Military, Federal, or State-issued
identification cards.

Change: None. 

Issuing a PIN or Password 

Comments: One commenter stated that 
schools that issue a PIN to students as 
outlined in the FSA Standards can result in 
a PIN that is recorded and accessible to 
school officials. The commenter is concerned 
that this conflicts with FERPA policy that a 
PIN is not acceptable for use under FERPA 
if persons other than the student have access 
to the PIN. 

Discussion: The process described in the 
FSA Standards does not permit school 
officials to access a student’s PIN or 
password. In addition, the FSA Standards 
permit an eligible student to change an 
assigned password or PIN to one of their own 
choosing. Under the FSA Standards, all of 
the passwords or PINs, whether assigned or 
student-selected, are maintained in a secure 
database in an encrypted manner that is not 
generally accessible to school officials or 
other parties. 

A school that uses a similar methodology 
would remain in compliance with 
requirements for the acceptance of an 
electronic signature under FERPA. However, 
a school may not use a PIN or password 
process that results in a PIN or password that 
is visible and easily accessible to persons 
other than the eligible student because that 
type of process results in an insecure PIN or 
password. Schools retain the maximum 
flexibility to implement any appropriate 
methodology. 

Change: None. 

Use of Current Systems 

Comments: Several commenters asked 
whether it is acceptable to use existing 
systems that include sign-on capability, such 
as campus e-mail, admissions, enrollment, 
and fee payment systems. Several 
commenters also asked if it is acceptable to 
permit eligible students to provide notice of 
directory information opt-outs by use of 
electronic signatures. 

Discussion: As explained in the preamble 
to the NPRM, the requirements for an 
electronic signature apply in circumstances 
where a signed and dated written consent is 
required under FERPA (page 44420). Such 
consent is generally required under FERPA 
when information from education records is 
to be disclosed to a third party, as in the 
issuance of a transcript to a prospective 
employer. Consent is not a requirement for
disclosure of an eligible student’s own
records to the student. A school that wishes 
to use its current system for situations where 
FERPA consent is required must determine 
whether it provides the required level of 
security. 

The majority of the systems mentioned by 
the commenters are designed for 
communication between a school and an 
eligible student. Systems that permit eligible 
students to view, alter, or update the 
student’s own records by electronic means 
are not the subject of these regulations. A 
school must ensure that the eligible student 
and not some other party is the receiver of 
the information, but the method a school 
uses to do so is not prescribed by these 
regulations. 

Change: None. 

Third-Party Presentation of Electronic 
Signature 

Comments: Several commenters asked 
whether the proposed regulations are 
applicable when a third party, not the 
eligible student, presents the electronic 
signature claimed to be that of the eligible 
student. Two commenters expressed strong 
support for acceptance of electronic 
signatures presented by third parties, 
primarily when the third party is a 
government entity or another educational 
agency or institution. 

Discussion: Educational agencies and
institutions are responsible to ensure that 
education records are disclosed only in 
accordance with FERPA. Any disclosure of 
education records to a third party, even in 
accordance with a student’s consent, is 
permitted but not required under FERPA. 
Each agency or institution must have the 
flexibility to decide whether a request for 
disclosure meets the requirements of FERPA 
and whether the institution wishes to make 
the requested disclosure. 

The FERPA regulations do not require that 
an eligible student provide his or her consent 
directly to the educational agency or 
institution, and these regulations do not 
impose a different requirement for electronic 
signatures. We would support an agency’s or 
institution’s decision to only accept 
electronic signatures presented on behalf of 
the eligible student by certain third parties, 
such as Federal or State agencies. 

Change: None. 

Application of Standards of Other Privacy 
Laws 

Comments: One commenter suggested that 
the standards of the Health Insurance
Portability and Accountability Act of 1996
(HIPAA) Privacy Rule for “protected health 
information” be applied to personally 
identifiable information contained in 
students’ education records. The commenter 
was concerned because personally 
identifiable information from students’ 
education records are disclosed by 
educational agencies and institutions to 
outside third parties who have grants to do 
research. The commenter stated that 
educational agencies and institutions do not 
recognize the concern for privacy of such 
data. 

Discussion: The HIPAA Privacy Rule, 
which is administered by the Department of 
Health and Human Services, excludes from 
the definition of “protected health 
information” two categories of records that 
are relevant here: “education records” 
covered by FERPA (34 CFR 99.3 “Education
records”) and records described under 
FERPA’s medical treatment records provision 
(34 CFR 99.3 “Education records”). See 45 
CFR 160.103(a). The HIPAA Privacy Rule 
does not cover such records because 
Congress, through FERPA, specifically has 
addressed how these records should be 
protected. As such, FERPA provides ample 
protections for these records and schools 
should ensure that health information, as 
well as other education records on students, 
are not disclosed to outside third parties 
without the consent of the student or under 
one of the exceptions to FERPA’s general 
prior consent rule. 

With regard to the commenter’s statement 
that educational agencies and institutions do 
not recognize the concern for privacy of 
student information, it has been our 
experience that the majority of the Nation’s 
schools do comply with FERPA and strive to 
protect the privacy of information contained 
in student records. FERPA is not a public 
open records or freedom of information 
statute. Rather, the purpose of FERPA is to 
protect the privacy interests of parents and 
eligible students in records maintained by 
educational agencies and institutions on the 
student. These privacy concerns should not 
be viewed as barriers to be minimized and 
overcome but important public safeguards to 
be protected and strengthened. 

Change: None. 

[FR Doc. 04-9054 Filed 4-20-04; 8:45 am] 